Abstract

In the past three decades almost everything has changed in the field of malware and malware analysis: from malware created as a proof of some security concept, through malware created for financial gain, to malware created to sabotage infrastructure. In this work we focus on the history and evolution of malware and describe the most important malware families.

1. Introduction

Malware, short for malicious (or malevolent) software, is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses [1].

The history of malware can be split into several categories, each of which also represents the timeframe in which the events of that category happened. We split the history of malware into five categories. The first category is the early phase of malware: the time when the first malware came to life. The second phase is the early Windows phase; it covers the first Windows malware, the first mail worms and macro worms. The third part is the evolution of network worms; these threats became popular when the internet became widespread. The fourth part is rootkits and ransomware; these were the most dangerous malware before 2010. Then came malware made for virtual espionage and sabotage, created by the secret services of some countries. This is the last phase of malware evolution, the one we are facing now.

In this work we describe malware evolution in these five phases. We do not describe all malware, only the malware that were great game changers and became famous for introducing new things into the malware world.

2. Beginnings of malware

There was some malware for other platforms before 1986, but in 1986 the first malware for the PC appeared: a virus called Brain.A. Brain.A was developed in Pakistan by two brothers, Basit and Amjad. They wanted to prove that the PC was not a secure platform, so they created a virus that replicated using floppy disks. It infected the boot sector of the floppy drive and the boot sector of every inserted floppy disk, so whenever an infected floppy was inserted into a PC it infected that PC's drive, and the drive in turn infected every disk inserted afterwards.
This virus did no harm, and the authors signed the code with their phone numbers and address [2]. The intention of early malware writers was to point out problems rather than to cause harm or damage. Later, of course, malware became more and more destructive.

After Brain there were other viruses. One of the interesting ones is the Omega virus, called Omega because of the omega sign it wrote to the console under some conditions. It infected the boot sector but did not do much damage unless it was Friday the 13th; on that day the PC could not boot. The Michelangelo virus would, on Michelangelo's birthday in the year 1992, rewrite the first 100 sectors of the hard disk [3]. This destroyed the file allocation table and the PC could not boot. V-sign is a virus that also infected the boot sector and wrote a V sign on the screen every month. Walker is the next virus that was quite visual; it appeared in 1992 and animated a walker walking from one side of the screen to the other. The Ambulance virus was quite similar to Walker, animating an ambulance driving from one side of the screen to the other, but it also added the sound effects of an ambulance. One of the most interesting viruses from the beginning of the 1990s was the Casino virus. Casino copied the file allocation table to memory and deleted the original file allocation table. Then it offered the user a slot game: the user had to get three £ signs to be allowed to use the PC, and had three tries. If the user restarted the machine, the file allocation table was gone and the machine could not boot. The same happened if the user lost: the file allocation table was deleted from memory as well. If the user won the game, the virus copied the file allocation table back from memory and the PC could be used normally.

The next big step in malware evolution was the introduction of the Mutation Engine (MtE). The Mutation Engine was created by a Bulgarian hacker who called himself Dark Avenger. It was a tool that could add mutation functionality to viruses, so that they would be harder for anti-virus software to detect. Basically this was the first polymorphism module: it could take any virus and make it far more invisible. Until the Mutation Engine, anti-virus software found viruses on PCs using file signatures and changes in file signatures. The introduction of polymorphism made this method ineffective [5].

The Virus Creation Laboratory was the first UI tool for creating viruses. The user could select the features of a virus and create it. This made virus creation easy. It had some disadvantages, but almost anyone using this GUI tool could create a virus [6].

3. First Windows malware

When Windows was released it was interesting for many users because it offered a powerful user interface. That simplicity of use attracted many users, and everything that has many users in the computing world soon becomes interesting to attackers and malware creators as well.

WinVir was the first Microsoft Windows virus. It also did not do much harm; its main feature was that it replicated, and that it was the first virus able to infect Windows PE (Portable Executable) files. WinVir made small changes to infected files. When an infected file was executed, WinVir looked for other PE files and infected them. While WinVir was infecting other files, the originally executed file was rolled back to its original state. Put simply, WinVir was deleting itself.
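The two detection methods that the Mutation Engine paragraph in section 2 says anti-virus software relied on, file signatures and changes in file signatures, can be shown side by side in a few dozen lines. The following is an added example, not code from the paper or from any antivirus product: a toy byte-signature scanner next to a hash-based integrity database of the kind that the Marburg virus described later in this paper deleted. The signatures, file names and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed toy signatures (name -> byte pattern). Real AV signatures are
# taken from analysed samples and are far longer; these are demo values.
SIGNATURES = {
    "Demo.A": b"THIS IS A DEMO VIRUS",
    "Demo.B": b"\x90\x90\xcd\x21\xeb\xfe",
}


def scan_bytes(data):
    """Return the names of all signatures whose pattern occurs in data."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Integrity database: path -> SHA-256 of the known-good content."""
    return {p: sha256_of(p) for p in paths}


def check_integrity(baseline):
    """Return {path: 'modified' | 'missing'} for every file that no longer
    matches the baseline. Files that still match are not reported."""
    findings = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif sha256_of(path) != digest:
            findings[path] = "modified"
    return findings


def demo():
    """Constructed scenario: two clean programs are baselined, then one is
    altered with bytes that match no signature. The signature scanner stays
    silent on it; the integrity check still reports the change."""
    tmp = tempfile.mkdtemp()
    prog_a = os.path.join(tmp, "prog_a.com")
    prog_b = os.path.join(tmp, "prog_b.com")
    with open(prog_a, "wb") as fh:
        fh.write(b"clean program A")
    with open(prog_b, "wb") as fh:
        fh.write(b"clean program B")

    baseline = build_baseline([prog_a, prog_b])

    # A file carrying a known pattern is caught by the signature scan.
    known = os.path.join(tmp, "known.com")
    with open(known, "wb") as fh:
        fh.write(b"prefix " + SIGNATURES["Demo.A"] + b" suffix")

    # Alter prog_b with content that matches no signature, standing in for a
    # variant the signature database has never seen.
    with open(prog_b, "ab") as fh:
        fh.write(b"\x00unknown variant bytes\x00")

    return {
        "known_hits": scan_file(known),
        "variant_hits": scan_file(prog_b),
        "integrity": {os.path.basename(p): v for p, v in check_integrity(baseline).items()},
    }


if __name__ == "__main__":
    print(demo())
```

Running the block baselines two clean files and then alters one of them with bytes the signature table does not know: the signature scan reports nothing for the altered file, while the integrity check flags it as modified. That complementary relationship is why a virus that wants to stay hidden has an interest in the integrity database itself, and why that database should be kept where the scanned machine cannot rewrite it.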
Monkey was a virus that infected the master boot record of hard drives and floppies. Monkey moved the first block of the master boot record to the third block and inserted its own code into the first block. When an infected computer was booted it ran normally, unless it was booted from a floppy; in that case the message "Invalid drive specification" was printed.

One-half, or Slovak bomber, was an interesting and potentially quite destructive virus. It infected the master boot record, EXE and COM files, but it did not infect files whose names contained words like SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV or CHKDSK. These files were not infected because they might belong to antivirus software, and the virus might then be caught by self-checking algorithms. It encrypted parts of the user's hard drive with an XOR function using a key known to the virus. When the user accessed an encrypted file, the file was decrypted and the user did not notice anything. The problem with this virus was that if it was removed improperly, the encrypted files could not be retrieved anymore [7]. Under particular circumstances the virus showed a message on the 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th and 30th of every month:

Dis is one half.
Press any key to continue ...

Concept (WM.Concept) was the first macro virus; it was detected in 1995. It was written in the Microsoft Word macro language and spread by sharing documents. It worked on PCs and on Macintosh computers if Microsoft Word was installed. When a document infected with Concept was opened on a PC, the virus copied its malicious template over the master template, so every new document created on that computer would be infected [8].

Laroux (X97M/Laroux) was the first Microsoft Excel macro virus. It was written in Visual Basic for Applications (VBA), the macro language for Office documents, which is based on Visual Basic. It worked on Excel 5.x and Excel 7.x, and could run on Windows 3.x, Windows 95 and Windows NT. It did no harm; it just replicated.

Boza was the first virus written specifically for Windows 95. It infected Portable Executable files, the files used by Windows 95 and Windows NT, but it did not attack Windows NT; so far no virus had been detected that was written particularly for Windows NT. The virus was detected in January 1996. It had Australian origins, but it was detected all over the world. When a file infected with Boza was run, it infected other files in that directory, one to three files on each run. After this Boza ran the original program. The virus did not stay active in memory.

[Figure: Boza virus message window, showing the text "Bizatch by Quantum / VLAD"]

Boza spread quite slowly, but its spreading algorithm was fast enough that the user could not notice it. Boza had no destructive routines, but it had one error that under some circumstances caused infected files to
grow to several megabytes. This was a problem on machines whose hard disks were just a few tens of megabytes large. The virus had an activation routine that showed a message window on the 31st of any month. The messages were: "The taste of fame just got tastier!" and "From the old school to the new".

Marburg (Win95/Marburg) is a virus that started to circulate in August 1998, when it infected the master CD of the MGM/EA PC game WarGames. On 12 August 1998 the publisher MGM released an apology to users:

From: "K.Egan (MGM)" <kegan@mgm.com>
Subject: MGM WarGames Statement
Date: Wed, 12 Aug 1998 18:03:39 -0700

MGM Interactive recently learned that its WarGames PC game shipped with the Win32/Marburg.a virus contained in the electronic registration program. The company is working as fast as it can to resolve the problem ... MGM Interactive is committed to delivering top quality products to consumers. This is an unfortunate circumstance and we sincerely apologize for any convenience this has caused you. ... If you have any questions or if you would like to receive a replacement disc, please contact MGM Interactive.

The same virus was on the cover CD of the Austrian PC magazine Power Play in August 1998.

Marburg is a polymorphic virus that infected Win32 and SCR (screen saver) files and encrypted its code with a variable polymorphic encryption layer. The polymorphic engine of the virus was quite advanced, since it encrypted the virus with 8, 16 and 32 bit keys and several different methods. The virus used slow polymorphism, which means that it changed its decryptor slowly. Marburg deleted the integrity databases of several antivirus programs. It also avoided infecting files belonging to antivirus software and did not infect files containing a V in the name; this was done to evade the self-checking of antivirus software. Marburg activated 3 months after infection if the infected file was run in the same hour as the hour of infection, showing the standard MS Windows error icon (white cross in a red circle) all over the desktop [9].

[Figure: Marburg]

Happy99 was the first mail virus. It spread as an executable e-mail attachment and was detected in 1998. At that time spam filters barely existed and allowed executables to be sent. If the user clicked and ran the attachment, it showed a screen with fireworks, but the virus also replicated the attachment and sent mail to all of the user's contacts.

Melissa was a virus that combined the techniques of macro viruses and mail viruses. It came with an attached infected MS Word file. If the file was opened, the virus replicated into a randomly chosen document from the user's hard disk and sent it to all contacts. This was quite problematic because of information leakage. The virus also sometimes added quotes from The Simpsons to infected documents [3].

LoveLetter was one of the most successful social engineering viruses. It used the premise of love to attract the user to open the attachment. The attachment file would run
the virus. The virus overwrote some quite important files on the victim's system. Using the premise of love, the virus convinced millions to open the attachment, which caused financial damage of 5.5 billion dollars worldwide. Anna Kournikova was a similar virus that sent an executable file, convincing victims that it contained sexy photos of the tennis player Anna Kournikova. Many were convinced to open the file, and even after antivirus companies added detection and blocking of the malicious attachment, many asked company support how they could see the pictures.

4. Worms

At the end of the 1980s the first PC worm was created by accident. In 1988 Robert Tappan Morris, at that time a student at MIT, wrote a program that would be a game-changing event in malware history. As part of his project Morris wanted to count the computers connected to the internet, so he wrote a little program that would replicate from one connected computer to another and count. But Morris made a bug: the worm also visited computers it had already visited before. In fact the worm replicated from an infected computer to all other connected computers all the time. This generated a lot of network traffic and almost crashed the internet of that time. Because of this mistake Morris was arrested and convicted under the Computer Fraud and Abuse Act of 1986 [10]; this was also the first case of someone being convicted under this law. At that time computers had open ports and connections, and replication could be done without the use of exploits. In the beginning of the internet nobody really thought about internet security, which made it easy for Morris to write his worm. Later, security mechanisms were implemented and later worms had to use exploits to gain access to computers on the network.

Internet worms work in the following way. They have a scanning algorithm that scans the network; in most cases it tries public, or both public and private, IP addresses. An IP address could be unassigned, or it could be assigned to a device that cannot be attacked (wrong platform) or to a patched and protected computer; in these cases the worm does not attack. But if the computer at that IP address is running the right unpatched platform, the worm uses an exploit to gain access to it. After that it adds some payload, which could trigger at some time or do bad things to the system. Then it again starts scanning the network and tries to propagate from that computer.

Code Red was the first internet worm after the Morris worm, and it did not need any user interaction. Code Red was also the first intentionally written worm (the Morris worm was malicious by accident). Code Red was spreading in the year 2000 and spread over the world in a couple of hours. It successfully hid from defending mechanisms and had several capabilities that were triggered in cycles. It attacked IIS (Internet Information Services) web servers. For the first 19 days of the month it only spread over the network using a vulnerability in IIS. From day 20 to day 27 it launched denial of service attacks on a couple of websites (e.g. the White House). For the last 3-4 days of the month it just rested.

Nimda was discovered on September 18th 2001 and spread fast over the world as an internet worm. If the letters of Nimda are reversed they read admiN. Nimda was quite similar to Code Red in scanning the network and propagating, but it had additional features. Nimda's scanning algorithm scanned all IP addresses, while Code Red scanned just the public IP range. Because of this feature Nimda could go further, infecting private networks [3]. Nimda also had the ability to change hosted websites so that they would offer downloads of infected files. This way the spreading of Nimda was even faster and more dangerous, because with user interaction Nimda could overcome firewalls and spread from the private hosts it reached. It could spread to Windows 95, 98, Me, NT 4 and Windows 2000. Nimda had one error because of which it crashed under some circumstances and could not spread further.

Fizzer is a mail worm from 2003. It was not an internet worm, but we describe it here because of the timeframe when it was found. Fizzer was the first malware whose only purpose was to generate revenue and money. It came in an infected attachment and turned the infected machine into a spam sender. In this period the structure of malware writers changed. Before Fizzer, malware was written by enthusiasts who wanted to prove something or to show off. From Fizzer on, the main focus of malware writers is gaining profit. After Fizzer came many malware that sent spam or blackmailed computer users. Malware writers were also no longer mostly from developed countries, as they were in the 1980s and 1990s; in the 2000s the main sources of malware were people from third world countries, mainly Russia, China, Pakistan, India etc.

Slammer was found on September 13th 2003 and brought some new things. It was an internet worm that used a vulnerability in OpenSSL, and it is one of the first malware that attacked Linux machines and Apache servers. It also had a backdoor, so the attacker could use the infected machine and upload additional tools or malware to it. The backdoor created a UDP socket with the attacker; in fact it listened on UDP port 2002 for the attacker's connection.

In the years 2003 and 2004 the 3 most destructive internet worms were discovered; they introduced concern for the security of real systems (factories, power plants, airports and other transportation systems) and for virtual sabotage.

Slammer was an internet worm that spread in 2003 using a vulnerability in Microsoft SQL Server and Microsoft Data Engine 2000. Every application that used one of these two services was a potential target and entry point for Slammer. Some of the applications that Slammer used to gain access to a system were:

Microsoft Biztalk Server
Microsoft Office XP Developer Edition
Microsoft Project
Microsoft SharePoint Portal Server
Microsoft Visio 2000
Microsoft Visual FoxPro
Microsoft Visual Studio.NET
Microsoft .NET Framework SDK
Compaq Insight Manager
Crystal Reports Enterprise
Dell OpenManage
HP Openview Internet Services Monitor
McAfee Centralized Virus Admin
McAfee Epolicy Orchestrator
Trend Micro Damage Cleanup Server
Websense Reporter
Veritas Backup Exec
WebBoard Conferencing Server [11]
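Section 4 describes the loop that every internet worm in this section runs: scan, find a reachable host on the right platform, exploit, repeat. Seen from the network, that loop looks like one source contacting many distinct destinations on the same service within a short time, and whether the destinations include private addresses separates a Code Red style scan (public range only) from a Nimda style scan (all addresses). The detector below is an added example, not code from the paper: it reads constructed flow records, keeps a per-source sliding window and reports sources whose distinct-target count crosses a threshold, together with the public/private split and the services touched. The flow lines, addresses, the 60 second window, the threshold of 8 and the udp/1434 service on the second source are all constructed values for the demo.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records (timestamp src dst proto dport); not real traffic.
# 10.0.0.5 reaches many distinct hosts on tcp/80 within seconds, public and
# private alike; 10.0.0.7 does the same over udp/1434 to public hosts only;
# 10.0.0.9 is ordinary client traffic and must not be reported.
SAMPLE_FLOWS = """\
2001-09-18T10:00:00 10.0.0.5 192.0.2.1 tcp 80
2001-09-18T10:00:01 10.0.0.5 192.0.2.2 tcp 80
2001-09-18T10:00:02 10.0.0.5 192.0.2.3 tcp 80
2001-09-18T10:00:03 10.0.0.5 192.0.2.4 tcp 80
2001-09-18T10:00:03 10.0.0.9 192.0.2.50 tcp 443
2001-09-18T10:00:04 10.0.0.5 192.0.2.5 tcp 80
2001-09-18T10:00:05 10.0.0.5 192.0.2.6 tcp 80
2001-09-18T10:00:06 10.0.0.5 10.0.0.20 tcp 80
2001-09-18T10:00:07 10.0.0.5 10.0.0.21 tcp 80
2001-09-18T10:00:08 10.0.0.5 10.0.0.22 tcp 80
2001-09-18T10:00:09 10.0.0.5 10.0.0.23 tcp 80
2001-09-18T10:00:12 10.0.0.9 10.0.0.1 udp 53
2001-09-18T10:00:30 10.0.0.9 192.0.2.50 tcp 443
2001-09-18T10:05:00 10.0.0.7 192.0.2.101 udp 1434
2001-09-18T10:05:01 10.0.0.7 192.0.2.102 udp 1434
2001-09-18T10:05:02 10.0.0.7 192.0.2.103 udp 1434
2001-09-18T10:05:03 10.0.0.7 192.0.2.104 udp 1434
2001-09-18T10:05:04 10.0.0.7 192.0.2.105 udp 1434
2001-09-18T10:05:05 10.0.0.7 192.0.2.106 udp 1434
2001-09-18T10:05:06 10.0.0.7 192.0.2.107 udp 1434
2001-09-18T10:05:07 10.0.0.7 192.0.2.108 udp 1434
"""

# Only the RFC 1918 ranges count as private here, so the 192.0.2.0/24
# documentation range used in the sample plays the role of public space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_flows(text):
    """Parse 'ts src dst proto dport' lines into tuples sorted by time."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, proto, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto, int(port)))
    return sorted(flows)


def detect_scanners(flows, window_seconds=60, threshold=8):
    """Report each source the first time it has contacted at least
    `threshold` distinct destinations inside a sliding time window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (ts, dst, proto, port)
    alerts = {}
    for ts, src, dst, proto, port in flows:
        q = recent[src]
        q.append((ts, dst, proto, port))
        while q and ts - q[0][0] > window:
            q.popleft()
        targets = {d for _, d, _, _ in q}
        if len(targets) >= threshold and src not in alerts:
            alerts[src] = {
                "first_seen": ts.isoformat(),
                "distinct_targets": len(targets),
                "private_targets": sum(1 for d in targets if is_rfc1918(d)),
                "public_targets": sum(1 for d in targets if not is_rfc1918(d)),
                "services": sorted({"%s/%d" % (p, pt) for _, _, p, pt in q}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(src, info)
```

On the sample data the detector reports 10.0.0.5 at its eighth distinct destination with six public and two private targets on tcp/80, which is the Nimda-like pattern, and 10.0.0.7 with public targets only on udp/1434, while the three flows from 10.0.0.9 never reach the threshold. In practice the threshold and window are tuned per network segment, and the same sliding-window count is what most intrusion detection systems use for their port-sweep and host-sweep signatures.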
Slammer spread as an in-memory process. It never wrote anything to the hard disk, so when the PC was restarted the infection disappeared. But since the PC was connected to other PCs, from which it got the infection or to which it replicated the infection, the infection soon came back. Slammer created great network traffic, so many packets were lost. This way it caused great damage: for example, the ATM network of Bank of America was down, the 911 service in Seattle was down for a couple of days, flight control systems at a couple of airports were infected and some flights were delayed. There was also a problem in a nuclear power plant in Ohio.

Blaster was detected in August 2003. It used a buffer overflow vulnerability in DCOM RPC (Distributed Component Object Model Remote Procedure Call). Blaster was used to create a SYN flood against the windowsupdate.com website, but since that was the wrong website (the real one was windowsupdate.microsoft.com), it did not cause much damage to Microsoft. But since it created traffic, it did slow down and disable several systems: Air Canada planes were grounded, the US train company CSX stopped, etc.

Sasser in 2004 used a buffer overflow in the Local Security Authority Subsystem Service (LSASS). It spread over the network and quite often crashed the LSASS service, which caused a restart within one minute. When Microsoft released the patch, it was too large to download and install in less time than the malware needed to crash the LSASS service. This caused a lot of frustration for users, so a new model of automatic updates was soon developed. Sasser caused RailCorp trains to stop in Australia, problems at Delta Airlines and delays on British Airways flights; the Hong Kong government department of energy was infected, two hospitals in Sweden were infected and could not run scanners, the EU Commission was infected, Heathrow airport had problems with this malware, as did the UK Coastguard, and several banks closed their offices for a couple of days because of internal infection.

5. Rootkits and ransomware

Rootkits are malware tools that modify existing operating system software so that an attacker can keep access to and hide on a machine. Rootkits can operate at two different levels, depending on which software they replace or alter on the target system. They could alter existing binary executables or libraries on the system; in other words, a rootkit could alter the very programs that users and administrators run (for example ls, cd, ps or other programs). We call such tools user-mode rootkits because they manipulate these user-level operating system elements. Alternatively, a rootkit could go for the jugular, or in our case the centerpiece of the operating system, the kernel itself. We call that type of rootkit a kernel-mode rootkit [3].

The first rootkit ever made was made by SONY Entertainment, and it had quite a bad impact on SONY's reputation. The SONY BMG rootkit was born in the year 2005 as SONY's idea for protecting the copyright of its publications: they wanted to use this rootkit to detect and disable copying of their publications to other media. The Sony BMG rootkit was part of 52 Sony publications, among them albums by Ricky Martin and Kylie Minogue. When the CD was inserted in a normal CD player or discman nothing happened. But when the CD was inserted in a PC, the rootkit was installed, hid itself and hid all files whose names started with $sys$. It also controlled how
the user accessed the music: if the user tried to copy it, the rootkit prevented it. The functionality of hiding all files starting with $sys$ was used by other malware writers to hide their own files on the system, simply by giving their malware files names starting with $sys$. When the rootkit was detected there was a great scandal, because Thomas Hesse, Director of global sales at Sony BMG, made a statement in which he said "Most people, I think, don't even know what a rootkit is, so why should they care about it?". This caused a heavy public reaction and had a bad impact on SONY's image; it is also cited as a good example of bad public relations. There was also a lawsuit, the outcome of which was that SONY offered customers a refund and free music downloads from its website.

StormWorm was a mail worm that came 7 years after LoveLetter and, like LoveLetter, used social engineering to spread. It used fear and horror instead of the love that LoveLetter used. StormWorm started spreading with mail whose subject was "230 dead as storm batters Europe". There were other manifestations as time passed, so some of the subjects of StormWorm were:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text
Radical Muslim drinking enemies's blood.
Chinese/Russian missile shot down Russian/Chinese satellite/aircraft
Saddam Husain safe and sound!
Saddam Hussein alive!
Venezuelan leader: "Let's the War beginning".
Fidel Castro dead.
If I Knew
FBI vs. Facebook

Infected machines formed a botnet. But while most botnets are controlled by one central server, this was not the case with StormWorm, which acted more like a peer-to-peer network, so the controlling node could change from host to host. StormWorm also installed a rootkit which it used to hide itself. Later variants, starting around July 2007, loaded the rootkit component by patching existing Windows drivers such as tcpip.sys and cdrom.sys with a stub of code that loads the rootkit driver module without requiring it to have an entry in the Windows driver list.

Mebroot from 2008 brought one new thing that changed the game: the victim could be infected just by surfing the internet from a browser. It used a browser exploit to gain access to the system, and one of the first websites used to spread this malware was the official website of Monica Bellucci. When Mebroot gained access to the victim's PC it installed a rootkit that could hide it from rootkit detectors, which had become part of many antivirus solutions. Mebroot spied on what the victim was typing and sent this data to the attacker. This malware was also quite well debugged, so it almost never crashed the system. Even if it caused a crash, it could collect and send traces to the attacker so that he could debug and fix
Computer security 
the problem. Because of this it was the most advanced malware of its time.

Conficker is one of the greatest mysteries in malware history. The intention of the malware creator was never found. It used a vulnerability in Windows and cracking of weak passwords to spread. It installed a backdoor and a rootkit and created a botnet node on the infected machine. It infected about 10 million hosts. The great mystery is that it had a very complex botnet network that was never used for any attack.

An interesting ransomware is the malware that encrypted the victim's hard disk, changed the desktop background to a message and demanded 120$ for the decryption key. Interestingly, the attackers did give away the keys if they were paid. For spreading it used a browser vulnerability and infected PDF files with a script that downloads and installs the malware. It changed the desktop background and placed on the desktop a how-to-decrypt.txt file containing this text:

Attention!!!
All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.
There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.
We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ignoring your message and nothing will be done.
For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): [email address]

The files encrypted on disk had the extensions: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .mdb, .odt, .vob, .ifo, .mpeg, .mpg, .doc, .docx, .xls and .xlsx.

6. Virtual sabotage and espionage

In the year 2010 one big step in malware evolution happened. Malware is no longer seen just as a threat to businesses, personal finances or files. Military, police forces and secret agencies of several countries got involved in malware creation. Malware is now seen much like any other weapon. The US government declared that the US army keeps the right to respond to a cyber attack with a physical attack; dropping bombs and cyber attacks using malware are seen as equal things. Malware has also become capable of doing almost the same damage as a bomb, but without risking human lives. The best example of that is the malware called Stuxnet, which was discovered in the summer of 2010.

Stuxnet is the first so-called super malware. It was found in June 2010, but when it was found it was realized that it had been spreading undetected for about a year. When Stuxnet was detected it had
already done what it was built for. It is believed that Stuxnet was created to destroy, or at least slow down, the Iranian nuclear program. Stuxnet physically sabotaged turbines for uranium enrichment by changing their rotation frequencies. This was done in a way not seen before. Stuxnet spread over USB sticks, and turning off the autorun or autoplay option did not help. If a USB stick was inserted into an infected PC it became infected, and if an infected USB stick was inserted into a PC, the PC became infected. No anti-virus was able to detect it. Stuxnet used a rootkit to hide itself on the infected machine, and it did nothing else but replicate to other inserted USB sticks. To gain control over the PC it used 5 exploits, of which 4 were still 0-day exploits on the day Stuxnet was first detected. It activated its routines only if the PC was attached to a particular Siemens Step 7 controller and the PC was used for programming that controller. Even in that case it did nothing if the controller was not attached to the particular industrial system. In that case it changed the rotation frequencies of the system, and it also reprogrammed the tools for automatic response, so that to them the system looked as if it worked correctly. Stuxnet contained a valid certificate, and when that certificate was blacklisted it changed its certificate within one day. It had a death date set to June 24th 2012, when all instances of Stuxnet would kill themselves. It is believed that this malware was created by the secret services of the USA and Israel; neither country has denied or confirmed this [12].

Duqu is malware with a code base similar to Stuxnet. It is believed that Stuxnet and Duqu have the same origin and the same authors; Operation Stuxnet and Duqu are also correlated in many sources. Duqu used the same exploits as Stuxnet, but it had a different purpose: to gather information about victims, in other words to spy on infected PCs. Duqu was written in a higher-level programming language, which is unusual for malware, because most malware is written either in assembler, C or possibly C++, or in a scripting language such as Python or Lua. Duqu was written in object-oriented C, and it is believed that it was compiled using Microsoft Visual Studio 2008.

Flame is the most complex malware that has been seen. It was found in 2012, and most of the infected computers were in the Near and Middle East. It is also believed that it was created by the Israeli and US secret services and military. It is modular malware that can be controlled by the attacker, who can add new modules remotely. With all its modules it can be 20 MB large. Flame could spread over USB or by network. It used rootkit capability to hide itself on the infected system. It could record audio, video, Skype calls and network activity, steal files from the hard disk and send them to the attacker. At the moment antivirus companies gathered a sample of Flame for analysis, Flame was destroyed remotely by the attacker, who sent a kill command that destroyed all instances of the Flame malware. Flame is written in Lua and C++, and like Stuxnet and Duqu it had a valid stolen certificate.

7. Conclusion

More than 25 years have passed since the first malware for the PC came out. Malware evolved, but some of the principles remained the same. The first malware, Brain.A, spread over floppy disks; Stuxnet, one of the most complex malware, spread over USB drives.
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Purposes and motives for malware 

[6] Virus creation laboratory 

creation changed from exibitionism, 
documentation, Internet, 

over revenge and profit to espionage and 
http://www.textfiles.com/virus/DO 
sabotage. Profit is still great motivator 
CUMENTATION/vcL. txt 

for malware creation, and it will 


[7] One_half, ESET Threat 


continue to be in future. Military 
enciclopedia, Internet 

purposes such as espionage and sabotage 
http://go.eset.com/us/threat- 

were proven as success for malware 
center/encyclopedia/threats/onehal 
creators. We can expect more of military 
f/ 

malware and cyber warfare in future, 
since it is quite safe for attackers and can 
[8] Concept.A, FSecure Threat 

cause same damage as military attacks 
description, Internet, http://www.f- 

with all its fire power. It has to be seen 
secure.com/v-descs/concept.shtml 

how antivirus companies would deal 

[9] Maburg, FSecure Threat 

with this kind of attackers with almost 
descripotion, Interner, 


limitless resources for malware creation 


http://www.f-secure.com/v- 
on one field and profit wanting malware 


descs/marburg shtml 


creators on the other field. Still we might 
see some other purpose of malware 

[10] Dressler, J. (2007). "United States v. 
creation in future in some game 

Morris". Cases and Materials on 
Criminal Law. St. Paul, MN: 

changing event such was Stuxnet when 
Thomson/West 

we are talking about military use of 
malware. 


[11] Slammer, FSecure Threat description, 


Internet, http://www.f-secure.com/Vv- 
Does your phone have a virus? Can iPhones even get viruses? Discover how to scan and remove mobile malware from your Android or iPhone, get rid of malicious apps, and banish annoying pop-ups. Learn about the biggest risks to your phone and install our free anti-malware mobile app to start defending yourself from threats today. 
How do you know if your phone has a virus? It doesn’t — there’s no such thing as viruses on Android or iPhone viruses. But phones can definitely get other forms of malware. If your phone is showing the typical symptoms of a malware infection, learn to get rid of malware manually or use a virus removal tool — an anti-malware scanner — to clean it up automatically. 

Read on for Android virus removal tips, or skip down to learn how to remove an iPhone virus. 

Then, find out how to use a malware cleaner to remove malicious apps and run a phone virus scan. If you’re dealing with a virus or malware on your PC or Mac, don’t miss our expert guide to removing malware from your computer. 
How to remove a virus from an Android phone 

1. Clear your cache and downloads. 

Open your Settings, go to Apps & notifications, and select Chrome. In the Storage & cache menu, follow the steps to clear your cache and storage. 

2. Restart your Android device in safe mode. 

Press and hold the power button, then choose to restart your phone in safe mode. You’ll see Safe Mode in the corner of your screen after your phone reboots. 

[Screenshot: the Android "Reboot to safe mode" dialog, which warns that all third-party applications you have installed will be disabled and restored when you reboot again.] 
3. Find and remove malicious apps. 

Open your Settings and tap Apps & notifications. Then tap See all apps. On the next screen, select Installed apps in the drop-down menu. Review your installed apps and look for any that are suspicious or unfamiliar, then uninstall them. Restart your phone when you’re done. 

4. Activate Google Play Protect. 

[Screenshot: the Play Protect screen in the Google Play Store, showing "No harmful apps found" and the recently scanned apps.] 

The Play Protect feature in the Google Play Store monitors your apps for unusual behavior that can indicate the presence of Android malware. Open the Play Store app, tap your profile icon or avatar on the top right, and activate Play Protect in the menu. 

5. Install anti-malware software. 

An antivirus app is the best way to automatically detect and remove malware from your Android phone while preventing future infections. Install AVG AntiVirus for Android to keep your Android malware-free in real time. 

The infographic below shows the steps you need to take to clear malware from your phone. 
[Infographic: 01 Clear your cache and downloads (Android adware can hide in your browser); 02 Restart in safe mode (safe mode prevents malicious apps and other malware from running); 03 Find and remove malicious apps (get rid of suspicious apps to get rid of malware); 04 Activate Google Play Protect (Google can detect malicious behavior in Android apps); 05 Install anti-malware software (an antivirus will remove malware and prevent it in the future).] 
[Screenshot: Android Settings > System > Reset options, listing Reset Wi-Fi, mobile & Bluetooth, Reset app preferences, and Erase all data (factory reset).] 
Last resort: wipe your Android 

If the steps above don’t work, try resetting your phone to its factory default settings. But this is a last resort — so before resetting your phone, try using an Android virus removal app instead. Otherwise, here’s how to factory reset your Android: 

1. Reset your phone. 

Open up your Settings, select System, then tap Reset options. Choose Erase all data (factory reset) and then tap Erase all data. Confirm via the pop-up and restart your phone. 

2. Restore your phone. 

If you have a backup available, you can restore your phone to get your data back. You’ll want to restore from a backup from before your phone started acting strangely, otherwise you risk installing the Android malware again. 
How to remove a virus from an iPhone 

A lot of apparent iPhone malware is actually caused by hackers manipulating your browser. So clearing your browsing history and data should resolve iPhone virus issues. If not, try restarting your phone, updating iOS, restoring your phone to a previous backup, or performing a factory reset. 

Check out our infographic for the steps you need to take to remove iPhone malware, or skip down to see the steps explained in more detail. 
[Infographic: How to remove a virus from an iPhone. 01 Clear browsing history and data (remove browser-based malware by resetting your browser); 02 Restart your phone (sometimes you just need a quick reset); 03 Update to the newest iOS (updating to the latest OS will help fix security issues); 04 Restore to a backup (go back to before your problems started); 05 Factory reset your phone (if nothing is working, a factory reset can make your phone like new). Protect your phone from future digital threats.] 
If you think your iPhone has a virus, here are a few ways to fix it: 

1. Clear browsing history and data. 

Go to Settings and scroll down to the Safari tab. Then tap Clear History and Website Data. Repeat this process for any other browsers you use. 

2. Restart your phone. 

Hold the power button, turn your phone off, then turn it back on. 

3. Update iOS. 

Go to Settings > General > Software Update. If you see a software update, install it. 

4. Restore your iPhone to a previous backup. 

Go to Settings > General > Reset, then choose Erase All Content and Settings. Follow the prompts to restore your iPhone from a backup. Choose a backup you created from before your phone began acting strangely. 

5. Factory-reset your iPhone. 

If your iPhone is still acting up, go to Settings > General > Reset, then choose Erase All Content and Settings. Choose to reset your phone, rather than restore from a previous iCloud backup. 

6. Install an iOS security app. 

AVG Mobile Security for iPhone and iPad will make sure your passwords stay safe, your Wi-Fi network is secure, and your private photos stay private, even if your phone falls into the wrong hands. 

It’s easy to secure your Wi-Fi and protect your personal files with AVG Mobile Security. 

Take your security up a level. Install AVG Mobile Security for iOS and start enjoying free, comprehensive protection for your iPhone or iPad today. 
How do I know if my phone has a virus? 

Unusual behavior and unfamiliar apps are the two biggest warning signs of phone viruses and other malware. These signs will tell you if your iPhone or Android device has a phone virus. 

Adware pop-ups: Most ads can easily be blocked by using an ad blocker or with a privacy-optimized browser like AVG Secure Browser, which comes with a built-in ad blocker. If you’re seeing pop-up ads on your Android or iPhone even when your browser is closed, you could have adware, which is a type of malware that spams you with extra ads. 

Excessive app crashing: Many apps crash periodically, but if your apps start crashing regularly for seemingly no reason, your phone could be infected with malware. 

Increased data usage: If you notice a sudden spike in data usage, that could be a sign that malware is running background tasks on your device or transmitting data, so keep an eye on your data to help control your mobile usage. 

Unexplained phone bill increases: Some malware strains attack by sending premium SMS messages from your phone, causing your phone bill to skyrocket. Ztorg Trojans were found doing this in 2017, in addition to deleting incoming messages. 

Your friends receive spam messages: Some malicious software can hijack your messaging service and spam all your contacts with infected links. If your contacts tell you they received a weird message from your accounts, investigate right away. 

Unfamiliar apps: If you notice an app on your phone that you don’t recall downloading, stay away from it. Fake apps are a common symptom of malware on Android phones, and they should be uninstalled immediately. An anti-malware phone scanner will take care of this in a few quick taps. 

Faster battery drain: Malware mischief can use up a lot of energy, rapidly depleting your Android or iPhone battery. If your battery is dying faster than usual, malware might be the cause. 

Overheating: While the majority of the reasons your phone is overheating are normal and relatively harmless, it’s also possible that the cause is a malware infection. 
Can Android phones get viruses? 

No, Android phones can’t get viruses. But Android devices are vulnerable to other types of malware that can cause even more chaos on your phone, from malicious adware to spyware. 

One of the reasons Android phones are susceptible to malware is because Android struggles to deliver security fixes to bugs or other vulnerabilities found in the operating system (OS). 

Sourcing apps from third-party sources also increases the risk of accidentally installing malware. Android’s open-source system and delayed rollout of updates are two major reasons why you should always use a strong antivirus solution for Android as an added layer of protection. 
Can iPhones get viruses? 

iPhones can’t get viruses, because iPhone viruses don’t exist. But while iPhones are less vulnerable to malware than Androids, there are other security threats you should watch out for. Phishing attacks and unsafe Wi-Fi networks are just two of the various threats that can affect your iPhone or iPad. 

iPhone viruses don’t exist (yet), but there are other threats to watch out for. 

Jailbreaking your iPhone — when you remove Apple’s built-in user restrictions — makes it just as vulnerable to malware as an Android device. So if you jailbreak your phone, it’s important to learn how to do a virus scan for your iPhone. But even without jailbreaking your phone, iPhone users are still vulnerable to other serious security threats — like identity theft. 

A well-known 2021 iPhone hack installed spyware known as Pegasus that can steal tons of personal data and turn your phone into a permanent surveillance device. Using a security exploit to leverage a vulnerability in iMessage, Pegasus bypasses iOS 14’s built-in security measures intended to prevent this tactic. The hack was created by Israel’s NSO Group, one of the world’s best hacking groups. 

That’s why we strongly recommend using a robust mobile protection app for iPhones and iPads. Avast Mobile Security for iOS goes way beyond antivirus or malware protection, keeping you safe every time you go online with free, innovative tools specially designed for your iPhone and iPad. 

What can viruses do to your phone? 

Increase your data usage and rack up unexpected charges by sending spam or premium SMS messages, or subscribing you to unauthorized or premium apps or services. 
Spam you with ads that generate revenue for the attacker. 
Install rootkits that give hackers a “backdoor” to your phone. 
Record phone conversations and send them to hackers. 
Collect personal information, including your GPS location, contact lists, photos, email address, or banking details. 
Record your login credentials, including your passwords. 
Take over your device through rooting. 
Infect you with ransomware, locking you out of your files. 

Before you install a new app, check if it’s safe. Read both user and professional reviews to learn what other people think. Some apps might be clean when you download them, but later get infected with malware through updates — so it’s important to stay alert. 

How to protect against phone viruses 

Download apps from trusted sources. Google and Apple both vet apps for security before allowing them into their stores. Avoid third-party app stores, and don’t jailbreak your iPhone or root your Android phone. 

Check apps for safety. Malicious apps occasionally find their way onto the official app stores, despite their security precautions. You should always check apps for safety before downloading them. Review the developer profile, read user reviews, and check the download count. Be extra careful when downloading anything brand-new, and don’t download from questionable developers. 

Research before you install. User reviews are great, but you can also see what the pros have to say. Consult expert reviews and independent evaluations of any new app before putting it on your phone. 

Keep your phone updated. Software providers often issue updates to fix bugs and plug security holes. Always update your phone’s operating system and apps with the latest versions. 

Don’t click suspicious links. Suspicious links in emails, text messages, or on social media can contain malware. Don’t click on any links you don’t expect to be there. 

Be careful on public Wi-Fi. Unsecured public Wi-Fi networks make it easy for hackers to intercept your traffic. Avoid doing anything sensitive on public Wi-Fi unless you’re using a VPN. 

Use cybersecurity protection. Whether you have an Android or iPhone, a security app can help protect you against malware, phishing, and other mobile threats. 

Protect your phone or tablet the easy way 

We use our smartphones constantly. And they hold intimate details about our life. Don’t let hackers in — build strong walls around your smartphone castle with a robust security and privacy app. 

With AVG’s cybersecurity protection, you can prevent adware, spyware, phishing, unsafe Wi-Fi networks, and a host of other mobile threats. Download AVG AntiVirus for Android or AVG Mobile Security for iPhone and iPad today for the free protection that millions of people all around the world trust every day. 
FAQs 

What is a virus? 

Viruses are a type of malware designed to infect computer systems and use the resources of their host machine to self-replicate and spread to other devices. Viruses were one of the first computer threats to emerge, and despite the rapid growth of other forms of malware in recent years, hackers continue to develop new viruses to exploit vulnerabilities in computer systems. 

How can I scan my phone for viruses? 

Use AVG AntiVirus for Android or another dedicated malware and virus removal tool to scan your device from top to bottom, find and remove all kinds of malware threats (including adware, spyware, and Trojans), and stop malware from infecting your device again. 

Can my phone get a virus from a website? 

The chance of a website infecting your mobile device with a virus is low, but it is possible. And without a top Android or iPhone security app, other forms of malware designed to target specific security exploits pose a real threat. To browse securely, protect your device with a mobile security app and always follow website safety guidelines. 

Does Google or Apple send virus warnings? 

Neither Apple nor Google sends virus warnings. If you receive spoofed notifications, emails, or other virus warnings supposedly from Apple or Google, these are scareware tactics designed to use social engineering to manipulate you into inadvertently downloading malware, revealing personal information, or handing over your money. 

Can hackers see through my phone camera? 

Certain types of spyware and other malicious software tools can let hackers access your phone camera and other parts of the device — potentially letting them spy on you in real time. Protect yourself with a dedicated anti-spyware tool, and avoid falling prey to snoops by browsing safely on public Wi-Fi networks. 

Does resetting a phone remove viruses and other malware? 

Simply restarting your phone won’t wipe malware from your device, but restoring your device to its factory settings probably will. If you’re going to factory reset your device, back up your data to avoid losing it all. If you restore your phone from a backup, previously infected files could continue to infect your restored device. Use a malware and virus removal tool and clean your device to get rid of any lingering harmful internet files. 
How to easily clean an infected computer (Malware Removal Guide) 

Malware, short for malicious (or malevolent) software, is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 

‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software. 

Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses. 

It’s not always easy to tell if your computer was compromised or not, because these days cybercriminals are going to great lengths to hide their code and conceal what their programs are doing on an infected computer. 


It’s very difficult to provide a list of characteristic symptoms of an infected computer because the same symptoms can also be caused by hardware incompatibilities or system instability, however here are just a few examples that may suggest that your PC has been compromised: 

You may receive the error “Internet Explorer could not display the page” when attempting to access certain websites 
Your web browser (e.g., Microsoft Internet Explorer, Mozilla Firefox, Google Chrome) freezes, hangs or is unresponsive 
Your web browser’s default homepage is changed 
Access to security related websites is blocked 
You get redirected to web pages other than the one you intended to go to 
You receive numerous web-browser popup messages 
Strange or unexpected toolbars appear at the top of your web browser 
Your computer runs slower than usual 
Your computer freezes, hangs or is unresponsive 
There are new icons on your desktop that you do not recognize 
Your computer restarts by itself (but not a restart caused by Windows Updates) 
You see unusual error messages (e.g., messages saying there are missing or corrupt files or folders) 
You are unable to access the Control Panel, Task Manager, Registry Editor or Command Prompt. 
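As an added example (not part of this guide), the PowerShell triage script below checks the Windows settings behind several of the symptoms above: the registry policy values that block Task Manager, Registry Editor, Control Panel and Command Prompt, a changed Internet Explorer start page, and hosts-file entries that can block security websites. The policy paths and value names are real Windows policy locations; the `-Repair` switch, the homepage allow-list and the hosts-file heuristic are this example's own choices.

```powershell
# Added example, not part of the guide: read-only triage of the Windows settings
# behind several listed symptoms (blocked admin tools, changed homepage, blocked
# security sites). Run from an elevated PowerShell prompt; -Repair deletes the
# lockout policy values, hosts entries are only reported for manual review.
[CmdletBinding()]
param([switch]$Repair)

# Real Windows policy locations; malware sets these to lock the user out of admin tools.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Symptom = 'Task Manager blocked' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Symptom = 'Registry Editor blocked' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Symptom = 'Control Panel blocked' }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';           Symptom = 'Command Prompt blocked' }
)

$findings = New-Object System.Collections.Generic.List[string]

foreach ($check in $policyChecks) {
    # A missing key or value yields $null instead of an error.
    $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($check.Name) -ne 0) {
        $findings.Add("[policy] $($check.Symptom): $($check.Path)\$($check.Name) = $($item.($check.Name))")
        if ($Repair) {
            # Deleting the value restores the default (tool allowed).
            Remove-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        }
    }
}

# Homepage hijack check. The allow-list (about:blank and Microsoft/MSN/Bing pages)
# is this example's assumption; anything else is reported for review, not deleted.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and $ie.'Start Page' -and
    $ie.'Start Page' -notmatch '^(about:blank|https?://([a-z0-9-]+\.)*(msn|microsoft|bing)\.com(/|$))') {
    $findings.Add("[homepage] Internet Explorer start page is '$($ie.'Start Page')' (review if unexpected)")
}

# Blocked security sites: an active hosts entry that is not localhost is suspicious,
# because malware maps antivirus vendor domains to 127.0.0.1 or a bogus address.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
    if ($line -notmatch '^\s*[0-9a-fA-F:.]+\s+\S') { continue }   # skip comments and blank lines
    $fields = $line.Trim() -split '\s+'                            # address, then one or more names
    if ($fields[1] -notmatch '^(localhost|ip6-\S+|broadcasthost)$') {
        $findings.Add("[hosts] $($fields[0]) -> $($fields[1..($fields.Count - 1)] -join ' ')")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No lockout policies, homepage changes or hosts-file redirects found.'
} else {
    $findings | Write-Output
    if (-not $Repair) {
        Write-Output 'Re-run with -Repair to delete the policy values; hosts entries are left for manual review.'
    }
}
```

A non-zero policy value or an unexpected hosts entry is a reason to continue with the scans below, not proof of infection on its own; legitimate Group Policy can set the same values on managed machines.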


This article is a comprehensive guide, which will remove most malware infections that may reside on your computer. And if you are experiencing any of the above symptoms, then we strongly advise you to follow this guide to check and remove any infection that you might have on your computer. 

How to remove viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs 

OPTIONAL: Some forms of malware will not allow you to start some of the below utilities and on-demand scanners while running Windows in Normal mode. If this happens, we recommend that you start your computer in Safe Mode with Networking, and try from there to perform the scan. 

We recommend that you first try to run the below scans while your computer is in Normal mode, and only if you are experiencing issues, should you try to start the computer in Safe Mode with Networking. 

To start your computer in Safe Mode with Networking, you can follow the below steps: 

1. Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer. 


2. If you are using Windows XP, Vista or 7, press and hold the F8 key as your computer restarts. Please keep in mind that you need to press the F8 key before the Windows start-up logo appears. 

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the “F8 key”, tap the “F8 key” continuously until you get the Advanced Boot Options screen. If you are using Windows 8, press the Windows key + C, and then click Settings. Click Power, hold down Shift on your keyboard and click Restart, then click on Troubleshoot and select Advanced options. 


3. In the Advanced Options screen, select Startup Settings, then click on 
Restart. 


4. If you are using Windows XP, Vista or 7 in the Advanced Boot Options 
screen, use the arrow keys to highlight Safe Mode with Networking , and 
then press ENTER. 


[Screenshot: the Windows Advanced Options Menu, listing Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt, Enable Boot Logging, Enable VGA Mode, Last Known Good Configuration, Directory Services Restore Mode, Debugging Mode, Disable automatic restart on system failure, Start Windows Normally and Reboot, with the up and down arrow keys used to move the highlight.] 

If you are using Windows 8, press 5 on your keyboard to Enable Safe 
Mode with Networking. 


Windows will start in Safe Mode with Networking. 


STEP 1: Remove bootkits and trojans with Combofix 


In this first step, we will run a system scan with Combofix to remove any 
malicious software that might be installed on your system. 


1. Download Combofix from any of the below links. 

COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer) 
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer) 

2. Before running this utility, please follow the below instructions: 

o Close any open browsers. 

o Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause “unpredictable results”. 

o Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. 


If there is no internet connection after running Combofix, then restart your 
computer to restore back your connection. 


3. To start the Combofix scan, double-click on ComboFix.exe and then 
follow the prompts. 


You can watch the below video to see how to use Combofix: 


Other important notes: 




o DO NOT mouse-click Combofix’s window while it is running. That may 
cause it to stall. 


o If after the reboot you get errors about programs being marked for deletion 
then reboot, that will cure it. 


STEP 2: Run RKill to terminate any malicious processes 

RKill is a program that will attempt to terminate all malicious processes that are running on your machine, so that we will be able to perform the next step without being interrupted by this malicious software. 

Because this utility only stops the running processes and does not delete any files, after running it you should not reboot your computer, as any malware processes that are configured to start automatically will just be started again. 

1. Please download the latest official version of RKill. Please note that we will use a renamed version of RKILL so that malicious software won’t block this utility from running. 

RKILL DOWNLOAD LINK (This link will automatically download RKILL renamed as iExplore.exe) 

2. Double click on iExplore.exe to start RKill and stop any processes associated with Luhe.Sirefef.A. 


3. RKill will now start working in the background, please be patient while 
the program looks for any malicious process and tries to end them. 


[Screenshot: RKill running in a console window.] 

4. When the RKill utility has completed its task, it will generate a log. Do not reboot your computer after running RKill as the malware programs will start again. 


STEP 3: Remove Trojan Horses, rogue security software 
and other malicious files from your computer with 
Malwarebytes Anti-Malware Free 


Malwarebytes Anti-Malware Free uses industry-leading technology to detect 
and remove all traces of malware, including worms, Trojans, rootkits, 
rogues, dialers, spyware, and more. 


It is important to note that Malwarebytes Anti-Malware works well and 
should run alongside antivirus software without conflicts. 


1. You can download Malwarebytes Anti-Malware from the below link. 

MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a new web page from where you can download Malwarebytes Anti-Malware Free) 

2. Once downloaded, close all programs, then double-click on the icon on your desktop named “mbam-setup-consumer-2.00.xx” to start the installation of Malwarebytes Anti-Malware. 


You may be presented with a User Account Control dialog asking you if you 
want to run this file. If this happens, you should click “Yes” to continue with 
the installation. 


3. When the installation begins, you will see the Malwarebytes Anti- 
Malware Setup Wizard which will guide you through the installation process. 


[Screenshot: the Malwarebytes Anti-Malware Setup Wizard welcome screen, installing version 2.00.0.0504; it recommends closing all other applications and temporarily disabling your antivirus and firewall before continuing.] 

To install Malwarebytes Anti-Malware on your machine, keep following the prompts by clicking the “Next” button. 

[Screenshot: the “Completing the Malwarebytes Anti-Malware Setup Wizard” screen, with the options “Enable free trial of Malwarebytes Anti-Malware Premium” and “Launch Malwarebytes Anti-Malware” and the Finish button.] 


4. Once installed, Malwarebytes Anti-Malware will automatically start and you will see a message stating that you should update the program, and that a scan has never been run on your system. To start a system scan you can click on the “Fix Now” button. 

[Screenshot: the Malwarebytes Anti-Malware dashboard, showing the database version, the next scheduled scan and the real-time protection status.] 

Alternatively, you can click on the “Scan” tab and select “Threat Scan”, then click on the “Scan Now” button. 

[Screenshot: the Scan tab with the Threat Scan, Custom Scan and Hyper Scan options.] 

[Screenshot: the “Updates are available. Click ‘Update Now’ to download updates.” dialog, with the Cancel Scan, Skip Update and Update Now buttons.] 

5. Malwarebytes Anti-Malware will now check for updates, and if there are any, you will need to click on the “Update Now” button. 


[Screenshot: Malwarebytes Anti-Malware scanning, showing the number of detected objects, the filesystem objects being processed, the time elapsed and the file currently being scanned.] 


6. Malwarebytes Anti-Malware will now start scanning your computer for 
the pop-up virus. 


When Malwarebytes Anti-Malware is scanning it will look like the image 
below. 


7. When the scan has completed, you will now be presented with a screen showing you the malware infections that Malwarebytes Anti-Malware has detected. To remove the malicious programs that Malwarebytes Anti-Malware has found, click on the “Quarantine All” button, and then click on the “Apply Now” button. 


[Screenshot: the “Potential Threats Detected!” results screen, listing the detected items with their type and the action set to Quarantine, and the Quarantine All and Cancel buttons.] 


Please note that the infections found may be different than what is shown in 
the image. 


8. Malwarebytes Anti-Malware will now quarantine all the malicious files 
and registry keys that it has found. When removing the files, Malwarebytes 
Anti-Malware may require a reboot in order to remove some of them. If it 
displays a message stating that it needs to reboot your computer, please 
allow it to do so. 


[Screenshot: “Finished cleaning items” confirmation (“All selected items have been removed successfully. A log file has been saved to the logs folder.”) followed by the prompt “Your computer needs to be restarted to complete the removal process. Would you like to restart now?”] 


After your computer restarts, open Malwarebytes Anti-Malware and run 
another “Threat Scan” to verify that no threats remain. 

STEP 4: Remove stubborn rootkits from your computer with HitmanPro 


HitmanPro is a second-opinion scanner, designed to rescue your computer 
from malware (viruses, trojans, rootkits, etc.) that has infected it despite 
the security measures you have in place (such as antivirus software, 
firewalls, etc.). HitmanPro is designed to work alongside existing security 
programs without conflicts. It scans the computer quickly (in under 5 
minutes) and does not slow the computer down. 


1. You can download HitmanPro from the below link: 

HITMANPRO DOWNLOAD LINK (This link will open a new web page from 
where you can download HitmanPro) 

2. Double-click on the file named “HitmanPro.exe” (for 32-bit versions of 
Windows) or “HitmanPro_x64.exe” (for 64-bit versions of Windows). When 
the program starts you will be presented with the start screen as shown below. 


[Screenshot: HitmanPro 3.7.9 - Build 212 (64-bit) start screen, “second opinion anti-malware”, with the prompt “Click Next to scan for malicious software”.] 


Click on the “Next” button, to install HitmanPro on your computer. 


[Screenshot: HitmanPro setup prompt asking whether to store a copy of the program on this computer for regular scans (recommended, with desktop and Start menu shortcuts) or to perform a one-time scan only.] 


[Screenshot: HitmanPro results listing detected files under C:\Users\MalwareTips\Desktop and C:\Users\MalwareTips\Downloads, classified as Riskware, Malware or Trojan, with the Quarantine or Delete action chosen for each.] 


3. HitmanPro will now begin to scan your computer for any malicious files 
that may be on your machine. 


4. When it has finished, it will display a list of all the malware the 
program found, as shown in the image below. Click on the “Next” button to 
remove the malware it has found. 


[Screenshot: the HitmanPro results list after the scan, showing the detected files on the Desktop and in Downloads, their classification (Riskware or Trojan) and the Quarantine action.] 


[Screenshot: “Activate your copy of HitmanPro to remove malicious software” dialog, with the product key field, the “I do not have a product key” option and the “Activate free license” button for a one-time 30-day license.] 


5. Click on the “Activate free license” button to begin the free 30 days 
trial, and remove all the malicious files from your computer. 
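Before double-clicking any of the scanners downloaded in these steps, it is worth confirming that the file you got from the download link is really the vendor's and not a look-alike. The PowerShell snippet below is an added example for this guide, not code from HitmanPro, RogueKiller, Emsisoft or Malwarebytes: it checks the Authenticode signature of each downloaded executable and compares the signer with the publisher you expect. The file names are the ones the guide mentions (the Emsisoft installer name is assumed), and the publisher strings are assumptions that you should confirm on each vendor's site.

```powershell
# Added example for this guide (not vendor code). Expected signer names are
# assumptions: confirm them on each vendor's site before relying on them.
$ExpectedPublishers = @{
    'HitmanPro.exe'            = 'SurfRight'   # assumed signer of HitmanPro
    'HitmanPro_x64.exe'        = 'SurfRight'
    'RogueKiller.exe'          = 'Adlice'      # assumed signer of RogueKiller
    'RogueKillerX64.exe'       = 'Adlice'
    'EmsisoftEmergencyKit.exe' = 'Emsisoft'    # assumed installer name and signer
}

function Test-DownloadedTool {
    param([Parameter(Mandatory)] [string] $Path)

    $name = Split-Path -Leaf $Path
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $name; Ok = $false; Reason = 'file not found'; SHA256 = $null }
    }

    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...)
    # means the binary is unsigned, was modified after signing, or its chain
    # does not verify on this machine.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ File = $name; Ok = $false; Reason = "signature status: $($sig.Status)"; SHA256 = $sha256 }
    }

    # A valid signature only proves that someone signed the file; the signer
    # must also be the vendor you expect.
    $subject  = $sig.SignerCertificate.Subject
    $expected = $ExpectedPublishers[$name]
    if (-not $expected) {
        return [pscustomobject]@{ File = $name; Ok = $false; Reason = "no expected publisher on record (signed by $subject)"; SHA256 = $sha256 }
    }
    if ($subject -notmatch [regex]::Escape($expected)) {
        return [pscustomobject]@{ File = $name; Ok = $false; Reason = "unexpected signer: $subject"; SHA256 = $sha256 }
    }

    [pscustomobject]@{ File = $name; Ok = $true; Reason = "signed by $subject"; SHA256 = $sha256 }
}

# Usage: check every executable in the Downloads folder before running any of them.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-DownloadedTool -Path $_.FullName } |
    Format-Table File, Ok, Reason -AutoSize
```

Keep the SHA256 column from the output: if a second machine needs the same cleanup, compare the hash of its copy instead of trusting a fresh download blindly. Get-FileHash needs PowerShell 4.0 or later; on older systems drop that line and rely on the signature check alone.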


STEP 5: Remove the malicious registry keys added by 
malware with RogueKiller 


RogueKiller is a utility that will scan for unwanted registry keys and any 
other malicious files on your computer. 


1. You can download the latest official version of RogueKiller from the 
below links. 

(For 32-bit machines) 
(For 64-bit machines) 

2. Double-click on the file named “RogueKiller.exe” (for 32-bit versions of 
Windows) or “RogueKillerX64.exe” (for 64-bit versions of Windows). 
Wait for the Prescan to complete. This should take only a few seconds; 
then click on the “Scan” button to perform a system scan. 

[Screenshot: RogueKiller (Adlice Software) window showing “Prescan finished. Please hit the scan button” above the Registry, Tasks, Hosts and Antirootkit tabs.] 

3. After the scan has completed, click on the “Delete” button to remove the 
Trojan.Poweliks!gm malicious registry keys or files. 
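RogueKiller removes the registry entries it recognises, but it helps to know what such entries look like so you can double-check the result yourself. The PowerShell snippet below is an added example, not part of this guide or of RogueKiller: it lists the values in the usual Run and RunOnce autorun keys and flags those that launch a script host (rundll32 with a javascript: argument, mshta, wscript/cscript, encoded PowerShell, regsvr32 with a remote scriptlet) or run out of a temp folder, which is how registry-resident threats such as Poweliks persist. The pattern list is this example's own heuristic, not a vendor detection rule.

```powershell
# Added example for this guide (not RogueKiller code). The pattern list is an
# assumption-based heuristic, not a vendor detection rule.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Command lines that start a script host or load a payload from somewhere
# other than an installed program directory.
$SuspiciousPatterns = @(
    'rundll32(\.exe)?\s+javascript:',            # rundll32 used to run script (Poweliks-style)
    '\bmshta(\.exe)?\b',                          # HTML Application host
    '\b[wc]script(\.exe)?\b',                     # Windows Script Host
    'powershell.*\s-(e|ec|enc|encodedcommand)\b', # encoded PowerShell command line
    'regsvr32.*\s/i:http',                        # regsvr32 fetching a remote scriptlet
    '\\temp\\|%temp%'                             # executable living in a temp folder
)

function Get-SuspiciousAutoruns {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            $hits = @($SuspiciousPatterns | Where-Object { $command -match $_ })

            # Value names that are empty or contain non-printable characters are a
            # red flag on their own: regedit cannot display them properly, which is
            # exactly why registry-only malware uses them.
            $oddName = ($name -eq '') -or ($name -match '[^\x20-\x7E]')

            if ($hits.Count -eq 0 -and -not $oddName) { continue }
            $reason = if ($oddName) { 'empty or non-printable value name' } else { $hits -join '; ' }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $command
                Reason  = $reason
            }
        }
    }
}

# Usage: run after the scanners report clean; every line returned deserves a look.
Get-SuspiciousAutoruns | Format-List
```

Reading HKLM Run keys does not need elevation, so this can be run as a normal user; removing an entry does. Treat each hit as a lead rather than a verdict: some legitimate installers do register wscript-based helpers, so compare against a known-clean machine or a baseline taken before the infection where you have one.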


STEP 6: Double-check for any left over infections on your computer 
with Emsisoft Emergency Kit 

The Emsisoft Emergency Kit Scanner includes the powerful Emsisoft Scanner, 
complete with a graphical user interface. It scans the infected PC for 
viruses, trojans, spyware, adware, worms, dialers, keyloggers and other 
malicious programs. 


1. You can download Emsisoft Emergency Kit from the below link. 

EMSISOFT EMERGENCY KIT DOWNLOAD LINK (This link will open a new 
web page from where you can download Emsisoft Emergency Kit) 

[Screenshot: Emsisoft Emergency Kit license agreement dialog.] 


2. Double-click on the “EmsisoftEmergencyKit” icon, then click on the 
“Extract” button. 


[Screenshot: Emsisoft Emergency Kit prompt “It is highly recommended that you run an online update before using the program. Do you want to update now?”] 


3. On your desktop you should now have a “Start Extract Emsisoft 
Emergency Kit” icon. Double-click on it, and when the program starts, 
allow it to update its database. 


[Screenshot: the Emsisoft Emergency Kit “Scan” tab offering Quick Scan (active programs only), Smart Scan (the places malware usually infects; recommended for most users), Full Scan (slowest, all files on all drives) and Custom Scan, followed by the message “Suspicious files have been detected during the scan.”] 
4. Once the Emsisoft Emergency Kit update has completed, click on the 
“Scan” tab and perform a “Smart Scan”. 


5. When the scan has completed, you will be presented with a screen 
reporting which malicious files Emsisoft has detected on your computer, and 
you will need to click on “Quarantine selected objects” to remove them. 


